Cisco Cisco Web Security Appliance S360 User Guide
Chapter 26 System Administration
Installing a Server Digital Certificate
26-34
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
•
It must include a matching private key in PEM format. DER format is not
supported.
supported.
•
The private key must be unencrypted.
The Web Security appliance cannot generate Certificate Signing Requests (CSR).
Therefore, to have a certificate created for the appliance, you must issue the
signing request from another system. Save the PEM-formatted key from this
system because you will need to install it on the appliance later.
Therefore, to have a certificate created for the appliance, you must issue the
signing request from another system. Save the PEM-formatted key from this
system because you will need to install it on the appliance later.
You can use any UNIX machine with a recent version of OpenSSL installed. Be
sure to put the appliance hostname in the CSR. Use the guidelines at the following
location for information on generating a CSR using OpenSSL:
sure to put the appliance hostname in the CSR. Use the guidelines at the following
location for information on generating a CSR using OpenSSL:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28
Once the CSR has been generated, submit it to a certificate authority (CA). The
CA will return the certificate in PEM format.
CA will return the certificate in PEM format.
If you are acquiring a certificate for the first time, search the Internet for
“certificate authority services SSL server certificates,” and choose the service that
best meets the needs of your organization. Follow the service’s instructions for
obtaining an SSL certificate.
“certificate authority services SSL server certificates,” and choose the service that
best meets the needs of your organization. Follow the service’s instructions for
obtaining an SSL certificate.
Note
You can also generate and sign your own certificate. Tools for doing this are
included with OpenSSL, free software from
included with OpenSSL, free software from
http://www.openssl.org
.
Intermediate Certificates
In addition to root certificate authority (CA) certificate verification, AsyncOS
supports the use of intermediate certificate verification. Intermediate certificates
are certificates issued by a trusted root CA which are then used to create
additional certificates. This creates a chained line of trust. For example, a
certificate may be issued by example.com who, in turn, is granted the rights to
issue certificates by a trusted root CA. The certificate issued by example.com
must be validated against example.com’s private key as well as the trusted root
CA’s private key.
supports the use of intermediate certificate verification. Intermediate certificates
are certificates issued by a trusted root CA which are then used to create
additional certificates. This creates a chained line of trust. For example, a
certificate may be issued by example.com who, in turn, is granted the rights to
issue certificates by a trusted root CA. The certificate issued by example.com
must be validated against example.com’s private key as well as the trusted root
CA’s private key.